Common examples of firewall rules

The firewall rule examples on this page describe common use-cases. These examples are not mutually exclusive. You can combine the rules as appropriate for your business configuration.

If you haven't done so already, read the firewall and the firewall rules reference documentation.

Allow SSH traffic

To allow SSH access from any IP address to all instances in a data center, create the following rule:

$ triton fwrule create "FROM any TO all vms ALLOW tcp PORT 22"
Created firewall rule 589f1458-d42b-4bad-9613-d738ce074225

Firewall rules are enabled by default if you create them using triton. You can set the —disabled option using -d and enable the rule when you are ready to apply it.

To allow SSH for one instance with the ID ba2c95e9-1cdf-4295-8253-3fee371374d9 which is disabled by default, create this rule:

$ triton fwrule create -d "FROM any TO vm ba2c95e9-1cdf-4295-8253-3fee371374d9 ALLOW tcp PORT 22"
Created firewall rule 0b3adeaf-cfd9-4cbc-a566-148f569c050c (disabled)

To enable a rule, run triton instance enable-firewall. For example:

$ triton instance enable-firewall 0b3adeaf-cfd9-4cbc-a566-148f569c050c
Enabling firewall for instance "0b3adeaf-cfd9-4cbc-a566-148f569c050c"

Note that both of these example rules allow SSH traffic. If there is more than one rule that affects incoming traffic, the least restrictive rule applies. In this case, the rule that allows SSH traffic to all instances in the data center is applied.

However, if you were to disable that rule, only the second rule would apply.

Allow HTTP traffic

To allow HTTP connections from any IP address to all instances in a data center, create the following rule:

$ triton fwrule create "FROM any TO all vms ALLOW tcp PORT 80"
Created firewall rule d4f01808-dd52-4fb8-b0e8-951d888e1aaa

To allow both HTTP and HTTPS connections to all instances in a data center, update the rule to include port 443:

$ triton fwrule create "FROM any TO all vms ALLOW tcp (PORT 80 AND PORT 443)" d4f01808-dd52-4fb8-b0e8-951d888e1aaa
Created firewall rule d4f01808-dd52-4fb8-b0e8-951d888e1aaa

Multiple web and database server setup

Suppose that you run a website in which two web servers talk to two database servers. You can use tags to identify each kind of instance.

Give each of the web servers a role tag with the value www. For example:

$ triton instance tag set -w d06bb2bd-e18d-63c0-acce-b125ee36b9e0 role=www
{
  "role": "www"
}

And give the database servers a role tag with the value db. For example:

$ triton instance tag set -w 2171717d-a15c-6a6d-83ae-f1610f552c13 role=db
{
  "role": "db"
}

Next, create firewall rules to control access to these instances. Recall that by default, instances with firewall enabled block all incoming TCP and UDP traffic. We now need to open up the necessary ports for each instance role.

First, we want to allow communication between the web servers and the database servers. We do so by creating this rule:

$ triton fwrule create "FROM tag role = www TO tag role = db ALLOW tcp PORT 5432"
Created firewall rule 82cb2ab3-ff43-4b05-955a-66fcde84c5f8

This rule allows only the web servers to connect to the database servers on the standard PostgreSQL port (5432). All other inbound traffic to the database servers is blocked.

Next, we want to allow HTTP and HTTPS traffic to the web servers from anywhere on the Internet. We do so by creating this rule:

$ triton fwrule create "FROM any TO tag role = www ALLOW tcp (PORT 80 AND PORT 443)"
Created firewall rule 36548d03-0436-44d5-bf7b-383e693fd46e

After you have created both of these rules, instances with the tag role set to db will have the following behavior:

• Allow incoming TCP traffic on port 5432 from instances with tag role=www
• Allow all outgoing traffic
• Allow incoming ping requests
• Block all other incoming traffic

And instances with the tag role set to www will have the following behavior:

• Allow incoming TCP traffic on ports 80 and 443 from any IP address
• Allow outgoing TCP traffic on port 5432 to instances with tag role=www
• Allow all outgoing traffic
• Allow incoming ping requests
• Block all other incoming traffic

Creating additional instances with the role tags listed above will automatically apply these rules. For example, to apply the web server rules to a new server, just give it tag role=www.

Bastion host setup

In this setup, we have the following requirements:

1. Instances are allowed access from the bastion host on all ports
2. Instances block all other connections
3. The bastion host accepts SSH connections from only certain IP addresses and no others

Recall that the default policy is to block all incoming connections, so requirement 2 is taken care of. We then need two rules to handle the other requirements.

The example bastion host has the ID 99a640b6-476f-ee0b-e2b0-b5146d6beb9f. To allow all traffic from the bastion host to all of the instances, you would create this rule:

$ triton fwrule create "FROM vm 99a640b6-476f-ee0b-e2b0-b5146d6beb9f TO all vms ALLOW tcp PORT all"
Created firewall rule 23831805-bae6-41f0-8f04-bef1191443d4

The second requirement is that the bastion host should accept SSH connections only from certain IP addresses. To do that you use this rule:

$ triton fwrule create "FROM (ip 172.1.1.110 OR ip 172.1.1.111) TO vm 99a640b6-476f-ee0b-e2b0-b5146d6beb9f ALLOW tcp PORT 22"
Created firewall rule 5494849f-bbaa-41a9-b92e-21d1d61bf656

When you create new instances, they will have access from the bastion host.